Security no match for theater lovers

An annual survey on social engineering is a real show stopper, given the overwhelming number of people who gave up confidential information within three minutes. At least last year they walked away with a chocolate egg.

Claire Sellick approached a woman in London's tony theater district with a clipboard and a chance to win tickets to an upcoming show. All the woman had to do was answer a three-minute survey on locals' theater-going habits. Or so she thought.


The first question was easy. "What's your name?" Next came questions about her attitude towards the theater, with more personal inquiries interjected now and then. For instance, the survey company needed the woman's date of birth (to prove she was legally able to win the seats) and her mother's maiden name (for later verification) and her address, of course, to mail the tickets if she won the drawing. What about a phone number? Her pet's name? The name of the first school she attended?

At some point, the woman began connecting the dots. "I work for a bank and this information could be used to open a bank account."

"Yes," Sellick responded.

The event director for the Infosecurity Europe trade show recalled with incredulity what happened next. "She then proceeded to give me all her details!"

That encounter is recounted in the conference's annual pulse-taking of people's susceptibility to social engineering. The results typically are released a few weeks before Infosecurity Europe kicks off in London to drum up publicity and to track the public's propensity to easily divulge sensitive data. Last year, people at a transit station gladly gave up their passwords for a chocolate Easter egg. This year, they provided all the ingredients for their identities to be stolen for a chance to see a show. [Conference organizers did make good on their promise and sent ticket vouchers to three randomly drawn winners, then destroyed all the data they collected.]

"For the past 10 years, we have endeavored to highlight many of the common IT security concerns and vulnerabilities, such as information breaches via employees and consumers," Sellick said in a statement. "This survey showed how easy it is to steal a person's identity and breach a company's security. Security is only as good as the awareness of the people it protects."

"One man provided all his information without question, but returned five minutes later asking for it back, as he thought that we could use it to gain access to his online bank account." (Claire Sellick, executive director, Infosecurity Europe)

It's difficult to say how many Americans would fall for the same ploy, given the recent non-stop news coverage of security breaches at college campuses and high-profile companies like data brokers Lexis-Nexis and ChoicePoint. Some high-profile cases involve hacking network servers; ChoicePoint's case had scam artists pose as customers to steal identities.

Regardless, the latest survey of 200 people at London High Streets does serve as yet another wake-up call that even the most hardened corporate networks can be breached by a loose-lipped employee. And that identity theft will continue to top the Federal Trade Commission's complaint list, as it has the last five years, so long as people are so easily conned.

Consider the following findings from the theater experiment:

100% provided their names upon request.

94% provided their pet's name (a common password) and their mother's maiden name (a common second form of authentication) when told actors frequently use both to create stage names.

98% gave their address in order to receive a winning voucher.

96% divulged the name of their first school. Combined with mother's maiden name, the two are key pieces of information used by banks for verification.

92% provided their date of birth and the same number supplied their home phone number.


There's always the possibility some gave bogus information. And it's promising that others did realize they gave away too much information, if belatedly.

One man "provided all his information without question, but returned five minutes later asking for it back, as he thought that we could use it to gain access to his online bank account," Sellick recalled. "We gave him back his survey form, but did not provide any evidence of who we were. If we had been fraudsters, he would have been too late."
